SEC examiners enter U.S. boardrooms to gauge compliance

April 4, 2012

By Nick Paraskeva

NEW YORK, April 4 (Thomson Reuters Accelus) – The U.S. Securities and Exchange Commission plans to reach into the boardroom to assess a financial firm’s culture of compliance, a senior commission official told a conference in New York.

The agency, departing from traditional practice to take a page from bank regulators, intends to have direct discussions with the firm’s board about the regulatory issues board members and the senior management team are paying attention to, and how they are navigating them. “The SEC will expect to look at a firm’s budgets, hiring and firing”, said Carlo di Florio, director of the SEC Office of Compliance Examinations (OCIE). Di Florio was speaking at Fordham Law School’s Corporate Compliance Conference on April 2 in New York.

The commission already has held meetings about risk management with directors at Goldman Sachs and several other financial groups, the Financial Times reported on Tuesday.

The article named Goldman, Morgan Stanley, Barclays, Wells Fargo, Wedbush Securities and credit rating and clearing firms as among those whose directors have met SEC examiners since last summer. It cited sources familiar with the issue, but said di Florio in an interview did not comment on which banks the commission had met.

Di Florio also told Thomson Reuters on the sidelines that the SEC will continue to issue guidelines on best practices, reflecting issues that regularly arise in its exam visits.


OCIE is the office responsible for the SEC’s national exam program, and has 900 professionals across 12 district offices. There are separate exam programs for different types of firm. The program for investment companies and investment advisers now includes private-equity funds and hedge fund managers that were newly required to register with the SEC under the Dodd-Frank law.

OCIE has a separate exam program for broker-dealers and investment banks, which is in addition to inspections conducted by the self-regulatory organization Financial Industry Regulatory Authority. There are also exam programs for exchanges and self-regulatory organizations (SROs), and for clearing agencies and transfer agents. A specialist SEC unit examines credit-rating agencies and has been expanded following the Dodd-Frank regulatory overhaul.

“The culture of compliance is an elusive concept and a real challenge,” but it has a huge impact on how ethically a company performs, di Florio said. He spoke about the fundamentals of the compliance process and of culture, and the need to integrate compliance within risk governance and to break down silos.


The SEC starts with a review of a firm’s policies, and the procedures for putting them into effect. Examiners will also look to ensure there is a good policy-management process to reflect business changes, such as moves into new products, geographies, and ventures. Without good governance of policies, they will quickly become irrelevant, which may lead to compliance breakdowns.

Communication and training for relevant staff on what is in the policies is also fundamental, di Florio said. There should be careful consideration of what is communicated, rather than just referring to the policy manual. There has been a revolution in training, emphasizing, for example, what business people need to know, the role of operations, and senior management responsibilities, with the firm tailoring its training accordingly.

The SEC will also review due diligence, and how the firm assigns responsibility across the organization. A number of global enterprises have extended supply chains, and it is important to assess how diligence is carried out on these service providers and agents, he said. These controls will also be relevant to the firm’s anti-money laundering (AML) compliance, and in managing any conflicts of interest.

Monitoring and testing are important to review whether what is written down in policies is actually working, and to prove that it is working. A monitoring and testing program shows how seriously a firm takes compliance. Integral to this is an escalation process for any findings, and a strong internal whistleblower program.

The form of internal investigation a firm performs when it identifies findings affects how much confidence the SEC has in its approach. The more confident the SEC is, the more likely it will deem it sufficient to monitor actions the firm is already taking. “If we are not confident, we are more likely to do the investigation ourselves,” said di Florio.


If a firm’s culture is to promote compliance, it needs to minimize the importance placed on profit and loss in its compliance considerations. The SEC will look at how firms set the tone at the top, and seek evidence of how critical decisions are taken. This is where a compliance discussion with the board and chief executive comes in. “Firms need to change the analysis: from ‘can we do this?’ to ‘should we do this; is it consistent with our core principles?’” di Florio said.

In terms of governance and authority, the SEC will assess who is powerful in an organization. This will be based on who wins the day: is it the business side, or legal and compliance? Which staff get what office space, and how is the bonus pool allocated? Do compliance staff have sufficient independence, standing, and the resources and expertise they need? Are compliance staffers at the table when the firm is thinking of expanding into new businesses, and where in the order of decision-making is their input sought?

Incentives and rewards are key, as is how the reward culture is integrated with ethics. The SEC looks at the chief executive and heads of business, and at how their compliance contribution is taken into account in setting their compensation, rather than just financial performance. For the firm as a whole, the principle should apply to the treatment of all staff, and businesses should be charged for capital to reflect the riskiness of their ventures.


The SEC will consider how compliance fits into the broader risk-governance framework of the firm. This will also assess units such as legal, risk management and internal audit. A firm that operates through discrete silos is not going to be as effective as one where these units are in dialog with management.

Some of the questions that the SEC will ask in reviewing the level of integration include:

1) How are front-line businesses setting the tone of the firm, and what sort of culture do they create?

2) How objectively do compliance and control functions monitor risks and escalate issues that arise?

3) Does internal audit report to the board and provide independent assurance, and does it have risk expertise?

4) What regulatory issues are the board and management looking at, and how are they managing those?


(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.)

Nick Paraskeva is principal of Reg-Room LLC, which provides regulatory information and consultancy.
